2021/Pop-ups/IndieAuth2

IndieAuth 2 2021 was an IndieWebCamp Pop-ups 2021 session and the 2nd IndieAuth session of 2021.

Summary

At the end of the last IndieAuth protocol session, there was a discussion of following up in a few weeks to finish what we could not. This popup IndieWebCamp session will continue the discussion to iterate and evolve the IndieAuth protocol.

Details

• facilitators: Aaron Parecki
• Participants: David Shanske, David Somers [omz13], capjamesg,   Jamie Tanna, Martijn van der Ven
• Date: 2021-10-16
• Time: 07:30 Pacific
• event: https://events.indieweb.org/2021/10/indieauth-2-popup-session-5y88zAw4LtO9
• hashtag: #indieauth2
• Video: ▶️01:59:24s
• Etherpad: https://etherpad.indieweb.org/2021-10-indieauth-popup

Notes

Archived from https://etherpad.indieweb.org/2021-10-indieauth-popup

• Make IndieAuth token introspection endpoint credentialed, so it is clear that this should only be used by Resource Servers. While there was a consensus on adopting the token introspection endpoint request and response, we did not conclude on what type of authentication. https://github.com/indieweb/indieauth/issues/99
  • Authentication is likely to be required, but in practice, requires further investigation (see below)
  • Aaron Parecki would like this to be some sort of dynamic client registration / "enrollment" that happens automagically when i.e. setting up a relationship with Aperture
  • Discussion as to whether i.e. Aperture / other shared platforms could lead to needing some out-of-band authentication sharing - follow-up investigation required
  • Jamie Tanna notes that, while integrating his IndieAuth server with OAuth2 clients, he found that the token_endpoint (not the token introspect endpoint, as mentioned on the call) may require `client_id` to be retrieved from `Authorization: Basic ...`, depending on how they work
  • Jamie Tanna has implemented this, and integrated this using the Spring Security and rack-oauth2 OAuth2 clients, and allows for using empty authentication (which could then be HTTP Basic Auth)
  • Consensus for now: Add to PR on introspection it is required, but not specify how at this time, allowing implementers to decide.
• Introduce OAuth Server Metadata https://github.com/indieweb/indieauth/issues/43
  • Jamie Tanna has a metadata endpoint now, getting it working was pretty straightforward
  • David Somers has a metadata discovery facility: see https://toolbox.imoxia.com/#authmetadisco (now supports discovery using rel=indieauth_metadata)
  • Rel=indieauth-metadata as opposed to rel=indieauth to indicate it is the metadata endpoint over being confused for the issuer URL. Opportunity to use - over _ as _ not allowed in http headers.
  • May address #98 in that we could more easily add endpoints.
  • Recommend placing it as .well-known for compat, but not require?
  • Note about fallback to old endpoints for compat
• Consider adopting the iss parameter https://github.com/indieweb/indieauth/issues/101
  • Dependent on the iss parameter being defined in the server metadata document. So, no fallback if there is a metadata document.
  • iss value should be the home page of the indieauth server, and is expliclty not the authorization endpoint
• Discuss whether IndieAuth adopt resource indicators(https://github.com/indieweb/indieauth/issues/82) as a notation, and note any specific considerations for IndieAuth. Even though Ticket Auth prompted this, this is not specifically a Ticket Auth issue. Proposed PR https://github.com/indieweb/indieauth/pull/96
  •   Jamie Tanna adds the `aud` of `https://www-api.jvt.me/` into all tokens, and currently does not enforce it anywhere. The enforcement would be added in the future, restricting at a resource server level whether the access token can be utilised
  • Discussion is also around whether we use Resource Indicators for Ticket Auth
  • Sample private post doing www-authenticate: https://toolbox.imoxia.com/private/codecow with a realm indicator
  • Scopes may not be required if resources are provided, and this could be specified in spec.
  • Whether an access token is issued changes from only whether scopes are requested to whether scopes or resources are requested
• Making the various token endpoint overrides consistent https://github.com/indieweb/indieauth/issues/98
  • Rewrite Introspection PR to support metadata to no longer be part of token endpoint as proposal.
  • Consider rewriting revokation to be defined as an endpoint with server metadata.
• Clarifying what names are returned in user profiles https://github.com/indieweb/indieauth/issues/93
  • Define name in the spec and its application.
  • It feels like the most straightforward solution would be to keep the existing "name" param and define it more specifically in the spec
• Clarify whether profile information is returned when a refresh token is used
• Consider adopting a userinfo endpoint, possibly after OAuth server metadata

• What clients can we test with?
•   Jamie Tanna has used https://github.com/FusionAuth/fusionauth-jwt/ to provide OAuth Server Discovery by $issuer or by $issuer/.well-known/...
  •   Jamie Tanna seems to have found support in Spring Security https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/client/registration/ClientRegistrations.html#fromIssuerLocation(java.lang.String)

Not Discussed

• Client Information Discovery improvements.
  • Should this solely rely on Microformats? https://github.com/indieweb/indieauth/issues/23
  • Should we adopt a manifest file and what should be displayed if no app info discovered? https://github.com/indieweb/indieauth/issues/64. #23 suggests other fields that might be relevant, such as the icon and name from the page.

See Also